Podfile declarations and automated installation, while SwiftPM manages dependencies through the Package.swift manifest. Endor Labs supports all three systems to help secure your applications.
Using Endor Labs, application security engineers and developers can:
- Scan their software for potential security issues and violations of organizational policy.
- Prioritize vulnerabilities in the context of their applications.
- Understand the relationships between software components in their applications.
Software prerequisites
Before you begin, verify the following prerequisites:
- All applications monitored by Endor Labs must be on CocoaPods versions 0.9.0 or higher, or Swift Package Manager versions 5.0.0 or higher.
- A Podfile and a Podfile.lock must be present in your CocoaPods project.
- A Package.swift must be present in your SwiftPM project.
- Install Bazel version 5.x.x, 6.x.x, 7.x.x, 8.x.x, or 9.x.x if your project uses Bazel. Endor Labs supports Bzlmod with Bazel aspects. See Bazel for more information.
- Your repository must include one or more files with a .swift, .h, or .m extension.
- Install the Swift toolchain on the system running the scan for SwiftPM projects. To verify the installation, run the swift --version command.
- Your repository must include the appropriate build manifest file: Podfile and Podfile.lock for CocoaPods projects, Package.swift for SwiftPM projects, and WORKSPACE or MODULE.bazel for Bazel projects.
Build CocoaPods projects
If the Podfile.lock is not present in your repository, run the following command to create the Podfile.lock for your Podfile.
Scan Bazel projects
To scan Swift projects that use Bazel, see Bazel for build instructions, supported rules, and scan commands. Endor Labs supports Bzlmod with Bazel aspects using rules_swift >= 2.0.0. See Bazel Aspects for more information.
Run a scan
Perform a scan to get visibility into your software composition and resolve dependencies.
Understand the scan process for CocoaPods projects
Endor Labs looks for the Podfile and Podfile.lock files to discover the dependencies used by an application.
- A Podfile is a configuration file used in CocoaPods projects to specify the required libraries or packages for the project’s dependencies.
- A Podfile.lock file is a CocoaPods specification file used to define the metadata and dependencies.
A Podfile.lock must be present in your project alongside each Podfile.
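To make concrete what a scanner can read from these two files, here is an added Python example (not Endor Labs code) that parses a Podfile.lock, separates the pods declared in the Podfile from those pulled in transitively, and checks the recorded CocoaPods version against the 0.9.0 floor from the prerequisites. The lockfile content, pod names and version numbers are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample Podfile.lock (not from the page); pod names and versions are illustrative.
SAMPLE_PODFILE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - Moya (15.0.0):
    - Moya/Core (= 15.0.0)
  - Moya/Core (15.0.0):
    - Alamofire (~> 5.0)

DEPENDENCIES:
  - Moya (~> 15.0)

COCOAPODS: 1.11.3
"""

_POD_LINE = re.compile(r"^  - (\S+) \(([^)]+)\):?$")    # two-space indent: top-level PODS entry
_DEP_LINE = re.compile(r"^  - (\S+)(?: \(([^)]+)\))?$")  # DEPENDENCIES entry, requirement optional

def parse_podfile_lock(text: str) -> tuple[dict[str, str], dict[str, str]]:
    """Return (resolved, declared): pinned versions from PODS, and each Podfile
    dependency from DEPENDENCIES with its requirement ("" when unconstrained)."""
    resolved, declared, section = {}, {}, ""
    for line in text.splitlines():
        if line and not line.startswith(" "):  # section header such as "PODS:"
            section = line.rstrip(":")
            continue
        if section == "PODS" and (m := _POD_LINE.match(line)):
            resolved[m.group(1)] = m.group(2)
        elif section == "DEPENDENCIES" and (m := _DEP_LINE.match(line)):
            declared[m.group(1)] = m.group(2) or ""
    return resolved, declared

def transitive_pods(resolved: dict[str, str], declared: dict[str, str]) -> list[str]:
    """Pods pinned in the lockfile but not declared in the Podfile, i.e. pulled in
    by another pod; subspecs (Name/Sub) are attributed to their parent pod."""
    roots = {name.split("/")[0] for name in declared}
    return sorted(p for p in resolved if p.split("/")[0] not in roots)

def cocoapods_version(text: str) -> str:
    """Version recorded on the lockfile's trailing COCOAPODS: line ("" if absent)."""
    m = re.search(r"^COCOAPODS: (\S+)$", text, re.M)
    return m.group(1) if m else ""

def meets_minimum(version: str, minimum: str = "0.9.0") -> bool:
    """True when version >= minimum, comparing numeric components only."""
    as_tuple = lambda v: tuple(int(x) for x in re.findall(r"\d+", v))
    return bool(version) and as_tuple(version) >= as_tuple(minimum)
```

On the sample, Alamofire is reported as transitive because only Moya is declared in the Podfile; a missing COCOAPODS line yields "" and fails the minimum-version check.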
Understand the scan process for SwiftPM projects
Endor Labs scans SwiftPM projects by locating the Package.swift manifest file, which defines the Swift package’s dependencies, targets, and metadata. Version-specific manifest files using the format Package@swift-<version>.swift, for example Package@swift-5.7.swift, are also supported.
Configure private SwiftPM package repositories
Endor Labs supports fetching and scanning dependencies from private Swift package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See Swift package manager integrations for more information on configuring private registries.
Known limitations
- Call graphs aren’t supported for Swift and Objective-C projects, including CocoaPods, SwiftPM, and Bazel.
- If a Podfile.lock file isn’t present, Endor Labs skips analyzing the project and presents a warning that it skipped the package.